1 vote

My Java application uses Kerberos to authenticate to a Windows Active Directory KDC, and it is using RC4-HMAC for default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes in the krb5 configuration file.

After replacing RC4-HMAC with aes128-cts-hmac-sha1-96, the application gives the following KrbException with status code 14.

message: KDC has no support for encryption type javax.security.auth.login.FailedLoginException: Login error:

My question is whether Kerberos is vulnerable to the RC4 Bar Mitzvah attack? If yes, how do I resolve this given the above exception?
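The following is an added example, not part of the question or any answer: a small audit script that parses the [libdefaults] section of a krb5.conf, flags the RC4 (and DES) enctypes named in the question, and emits a hardened copy that lists only AES enctypes. The sample krb5.conf embedded in it is constructed to mirror the configuration the question describes; the realm, KDC hostname and the preferred AES list are assumptions. Switching the client to AES only helps when the KDC (and the service account's keys) actually support AES, which is exactly what status code 14 in the question is complaining about, so the script only covers the client side of the change.

```python
"""Audit a krb5.conf [libdefaults] section for weak Kerberos enctypes and
emit an AES-only version. Added example; the config below is constructed."""
import re

# Constructed sample resembling the configuration described in the question.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac

[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com
    }
"""

# The three keys the question mentions; these control what the client offers.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Enctypes that should no longer be offered (RC4/arcfour aliases and DES family).
WEAK_ENCTYPES = {
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
    "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
}

# Assumed preferred replacement list (AES-256 first, AES-128 as fallback).
STRONG_DEFAULT = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"

_SECTION_RE = re.compile(r"\[(\w+)\]$")


def parse_libdefaults(text):
    """Return {key: [enctype, ...]} for the enctype keys found in [libdefaults]."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in ENCTYPE_KEYS:
            # krb5.conf accepts space- or comma-separated enctype lists
            settings[key] = value.replace(",", " ").split()
    return settings


def find_weak(settings):
    """Return {key: [weak enctypes]} for every key that offers a weak enctype."""
    weak = {}
    for key, enctypes in settings.items():
        bad = [e for e in enctypes if e.lower() in WEAK_ENCTYPES]
        if bad:
            weak[key] = bad
    return weak


def harden(text, replacement=STRONG_DEFAULT):
    """Rewrite the enctype keys in [libdefaults] to the AES-only list,
    preserving indentation and every other line unchanged."""
    out = []
    section = None
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        m = _SECTION_RE.match(stripped)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in stripped:
            key = stripped.partition("=")[0].strip()
            if key in ENCTYPE_KEYS:
                indent = raw[: len(raw) - len(raw.lstrip())]
                out.append(f"{indent}{key} = {replacement}")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, bad in find_weak(parse_libdefaults(SAMPLE_KRB5_CONF)).items():
        print(f"{key}: weak enctype(s) offered: {', '.join(bad)}")
    print("--- hardened krb5.conf ---")
    print(harden(SAMPLE_KRB5_CONF))
```

Run it against a real krb5.conf by reading the file into `harden()` instead of the constructed sample; keep the original until a kinit or a test login against the KDC confirms that AES tickets are actually issued.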


2 Answers

0 votes

Usually, no one gets attacked at a Bar Mitzvah, at least no one was at mine, but if you use AES you need the unlimited policy file for your JDK. This is due to crypto export restrictions. Please see: How to avoid installing "Unlimited Strength" JCE policy files when deploying an application?

Please also make sure that your KDC, e.g., Active Directory, is at least Windows Server 2008. 2003 does not support AES.

0 votes

I have reported my view of the problem with KrbException 14 and default_tkt_enctypes not having rc4-hmac over at KDC has no support for encryption type (14)